CVE-2023-22518: A Critical Vulnerability in Atlassian Confluence

Atlassian, a leading software development company, has recently discovered a severe security flaw in its Confluence Data Center and Confluence Server products.

The vulnerability, identified as CVE-2023-22518, is classified as an “improper authorization vulnerability.” This essentially means that an attacker, even if unauthenticated, could exploit this weakness to gain unauthorized access or privileges within a Confluence system.


Atlassian has rated the vulnerability as 9.1/10 severity on the Common Vulnerability Scoring System (CVSS), which means that it is considered to be a very serious vulnerability. The company has also stated that it has received no reports of active exploitation of the vulnerability at this time, but that customers should take immediate action to protect their instances.

All customers who are using the Confluence Data Center or Confluence Server are at risk from CVE-2023-22518. This includes customers who are using hosted Confluence instances, as well as customers who are running Confluence on their own infrastructure.

In an official statement, Atlassian elucidated: “As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker.

If you’re using Confluence, take a deep breath and read on. Here’s what you need to do:

  1. Update Immediately: Atlassian has rolled out patches to address the vulnerability. It’s imperative that affected installations are updated to one of the following versions:
    • Confluence Data Center and Server 7.19.16
    • 8.3.4 or later
    • 8.4.4 or later
    • 8.5.3 or later
    • 8.6.1 or later
  2. Backup: Before you do anything, make sure to back up your instance. Check out Atlassian’s backup guide for detailed instructions.
  3. Going Offline: If for some reason you’re unable to patch your instance immediately, consider taking it off the internet as a temporary countermeasure. This means any instance accessible to the public internet, even those behind user authentication, should be restricted until you can apply the patch.